Field of the Invention
The invention relates to a method for recharging an electronic debit card for cashless clearing or payment transactions including an integrated semiconductor circuit device having at least one address and control logic circuit and a non-volatile memory, at least one part of the non-volatile memory being erasable, and the memory locations of the region, provided for storing the respective value units of the debit card, of the non-volatile memory being divided up into subregions of different significance in each case, erasure of the memory locations being possible simultaneously only for all of the memory locations of a subregion of specific significance, and each subregion being capable of erasure only after a carry value has been written into a previously empty memory location of the subregion of the next highest significance. The invention also relates to an electronic debit card for cashless clearing or payment transactions having an integrated semiconductor circuit device for carrying out the method.
Data-controlled payment systems which are known for the purpose of cashless payment for goods or for the purpose of settlement for services and the like are in the form of data exchange systems in which the debit cards used therein include a non-volatile electronic data memory as an essential element which can be accessed through electric contacts on the card surface. A data input or data output device (point-of-sale terminal) is used by an arithmetic unit to access the memory contents with each use, and the memory contents is changed, if appropriate. Especially in the case of the use of prepaid data carrier configurations, permitting anonymous payment for goods or chargeable services, it must be ensured that the value of the card can only be reduced but not raised by tampering.
Rechargeable debit cards have so far been realized predominantly as processor cards, since the higher computing power of a microprocessor has simplified monitoring of the recharging. However, intelligent memory cards are being increasingly used in low-end payment systems, in particular in prepaid cards. The chip card presently being used by the firm Siemens shows that cryptological authenticity and authorization checks of the participants in payment operations can presently also be realized on a comparable security level through the use of memory chips. However, electronic monitoring of the transferred money amounts through the use of the methods realized by microprocessors would make such cards too expensive.
It is to be assumed in principle in the case of rechargeable debit cards, both on a microprocessor basis and on a memory basis, that not only is a system secret present, but a crypto-algorithm for authenticity checks as well. Nevertheless, various risks are to be considered.
On one hand, even after electronic authentication of the partners participating in recharging, tampering with the book value of the debit card by a thief tampering with the transmitted data cannot be excluded. Moreover, the booking operation is made up of an erase/write cycle of the non-volatile counting region, in which the debit card can temporarily even assume a higher monetary value. An interruption of the charging process at a suitable instant would then lead to an unjustifiably high market value. In that case an erase/write cycle is composed of two operations: firstly, erasing the full counter or subregions of the counter, and thereafter setting or entering the new counter reading. In that case, by definition erasure is the operation in which a relatively large number of information words (bits) are changed in the same sense on memory locations. It is not until writing that the desired specific bit pattern is subsequently generated. For technical security reasons, devaluation by writing individual bits must be the electric discharging operation of memory locations, so that the market value can only decrease in any spontaneous discharge of the cells. Erasure is thus the risky, value-raising operation. In the period between erasing and writing, the counter temporarily assumes a maximum value as an intermediate state which is not recorrected until the writing operations. In the case of the known chip card, the tampering risk resides in that unavoidable intermediate state.